Please, please, please stop using #passkeys to encrypt user data.
-
Please, please, please stop using #passkeys to encrypt user data. Please


Please, please, please stop using passkeys for encrypting user data
Passkeys are the future of authentication, but using them for data encryption is a disaster waiting to happen. Overloading these credentials creates a dangerous blast radius that can lead to the irreversible loss of a user's most sacred memories and documents.
Timbits (blog.timcappalli.me)
-
@timcappalli I think it's even worse than this! You do a great job explaining why it's problematic for users who -don't- know what's happening (and also the increased risk of loss for everyone)
But there are second-order effects on -security-. A user who -knows- their passkey is encrypting their data must now keep that key much longer than they would otherwise need to. Auth keys should be safe for frequent rotation and replacement, which means keeping their scope tight.
-
@timcappalli Good post! One clarification for readers: Bitwarden doesn't support PRF yet, but the screenshot suggests that Bitwarden will show this UI for passkeys with PRF keys. I expect Bitwarden to add support for prfUsageDetails and clearer messaging for deleting passkeys with PRF keys at launch of the feature.
-
@timcappalli isn't that what age is also pushing?
-
@timcappalli haha oops https://github.com/glyph/tokenring
(I don't think this *quite* qualifies for what you're talking about, as anything speaking ctap2 directly is not quite in the same category as doing PRF in the browser)
-
@stf age?
-
@stf oh, that. yes.
-
@timcappalli@infosec.exchange To add to the arguments: it also defeats the whole idea of having hardware security keys. If the secret is stolen or exposed somehow, decryption does not require access to the hardware token anymore.
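An added example (not from the linked post or from any reply in this thread) of the design the two comments above point at: the passkey's PRF output is never used as the data key itself, it only wraps a separately generated data-encryption key (DEK). Enrolling a second passkey re-wraps the same DEK, rotating a passkey re-wraps it under the new credential and revokes the old one, and none of that touches the stored records. The vault layout, the credential ids and the PRF outputs are constructed for the demo; the HMAC-based seal/open pair is a stdlib-only stand-in for an AEAD such as AES-GCM, so the example runs without third-party packages.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with SHA-256; length must be <= 8160."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with an HKDF keystream: a stdlib stand-in for AES-GCM (demo only)."""
    nonce = secrets.token_bytes(16)
    enc_key = hkdf_sha256(key, nonce, b"enc")
    mac_key = hkdf_sha256(key, nonce, b"mac")
    stream = hkdf_sha256(enc_key, nonce, b"stream", len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf_sha256(key, nonce, b"mac")
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    enc_key = hkdf_sha256(key, nonce, b"enc")
    stream = hkdf_sha256(enc_key, nonce, b"stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed stand-ins for the 32-byte secrets a WebAuthn PRF evaluation would return.
PRF_A = hashlib.sha256(b"constructed prf output for passkey A").digest()
PRF_B = hashlib.sha256(b"constructed prf output for passkey B").digest()
PRF_C = hashlib.sha256(b"constructed prf output for passkey C").digest()


def _kek(prf_output: bytes) -> bytes:
    # The PRF output is turned into a key-encryption key and used for nothing else.
    return hkdf_sha256(prf_output, b"example-vault-kek-v1", b"passkey-kek")


def new_vault(cred_id: bytes, prf_output: bytes) -> dict:
    """Create a vault: one random DEK, wrapped under the first enrolled passkey."""
    dek = secrets.token_bytes(32)
    vault = {"wrapped": {}, "records": []}   # hypothetical on-disk layout
    enroll_passkey(vault, dek, cred_id, prf_output)
    return vault


def enroll_passkey(vault: dict, dek: bytes, cred_id: bytes, prf_output: bytes) -> None:
    # Binding the credential id as AAD stops a wrapped DEK being swapped between entries.
    vault["wrapped"][cred_id] = seal(_kek(prf_output), dek, cred_id)


def revoke_passkey(vault: dict, cred_id: bytes) -> None:
    vault["wrapped"].pop(cred_id)


def unlock(vault: dict, cred_id: bytes, prf_output: bytes) -> bytes:
    """Recover the DEK with one enrolled passkey; a revoked credential cannot unlock anything."""
    if cred_id not in vault["wrapped"]:
        raise KeyError("credential not enrolled or revoked")
    return open_(_kek(prf_output), vault["wrapped"][cred_id], cred_id)


def rotate_passkey(vault: dict, old_cred: bytes, old_prf: bytes,
                   new_cred: bytes, new_prf: bytes) -> None:
    """Replace a passkey: re-wrap the DEK, drop the old wrapper, leave records untouched."""
    dek = unlock(vault, old_cred, old_prf)
    enroll_passkey(vault, dek, new_cred, new_prf)
    revoke_passkey(vault, old_cred)


def store(vault: dict, dek: bytes, data: bytes) -> None:
    vault["records"].append(seal(dek, data, b"user-record"))


def read_all(vault: dict, dek: bytes) -> list:
    return [open_(dek, r, b"user-record") for r in vault["records"]]


if __name__ == "__main__":
    v = new_vault(b"cred-A", PRF_A)
    store(v, unlock(v, b"cred-A", PRF_A), b"family photo #1")
    enroll_passkey(v, unlock(v, b"cred-A", PRF_A), b"cred-B", PRF_B)   # second device
    rotate_passkey(v, b"cred-A", PRF_A, b"cred-C", PRF_C)               # A retired, C replaces it
    print(read_all(v, unlock(v, b"cred-C", PRF_C)))                      # data still readable
```

The contrast with the pattern the post criticises is the size of the blast radius: if the PRF output were the record key, every record would have to be re-encrypted to rotate a passkey and a single lost authenticator would be unrecoverable. Here a lost or revoked passkey costs nothing as long as one other wrapper exists, and the only secret the wrapped entries protect is a 32-byte DEK, not the user's data.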
-
@stf@chaos.social I just recalled that confer (LLM by moxie and co) is also using passkeys for encryption:
https://confer.to/blog/2025/12/passkey-encryption/
@timcappalli@infosec.exchange
-